Date: 12 Jul 2013

Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal


We show that it is possible to achieve perfect forward secrecy (PFS) in two-message or one-round key exchange (KE) protocols even in the presence of very strong active adversaries that can reveal random values of sessions and compromise long-term secret keys of parties. We provide two new game-based security models for KE protocols with increasing security guarantees, namely, eCK\(^{w}\) and eCK-PFS. The eCK\(^{w}\) model is a slightly stronger variant of the extended Canetti–Krawczyk (eCK) security model. The eCK-PFS model captures PFS in the presence of eCK\(^{w}\) adversaries. We propose a security-strengthening transformation (i.e., a compiler) from eCK\(^{w}\) to eCK-PFS that can be applied to protocols that only achieve security in a weaker model than eCK\(^{w}\), which we call eCK\(^{\text{passive}}\). We show that, given a two-message Diffie–Hellman type protocol secure in eCK\(^{\text{passive}}\), our transformation yields a two-message protocol that is secure in eCK-PFS. We demonstrate how our transformation can be applied to concrete KE protocols. In particular, our methodology allows us to prove the security of the first known one-round protocol that achieves PFS under actor compromise and ephemeral-key reveal.

Communicated by C. Boyd.